From 4112674599f78067236001b275957c4e79f25daf Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Tue, 23 Dec 2014 13:07:04 +0100 Subject: [PATCH] Update security.conf to version from jessie, but keep ServerTokens at ProductOnly --- modules/apache2/files/security | 43 ++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 12 deletions(-) diff --git a/modules/apache2/files/security b/modules/apache2/files/security index da8525a92..70ab0f967 100644 --- a/modules/apache2/files/security +++ b/modules/apache2/files/security @@ -1,19 +1,14 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - # # Disable access to the entire file system except for the directories that # are explicitly allowed later. # # This currently breaks the configurations that come with some web application -# Debian packages. It will be made the default for the release after lenny. +# Debian packages. # # -# AllowOverride None -# Order Deny,Allow -# Deny from all +# AllowOverride None +# Order Deny,Allow +# Deny from all # @@ -27,9 +22,9 @@ # and compiled in modules. # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. -# #ServerTokens Minimal ServerTokens ProductOnly +#ServerTokens Full # # Optionally add a line containing the server version and virtual host @@ -38,7 +33,6 @@ ServerTokens ProductOnly # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail -# #ServerSignature Off ServerSignature On @@ -49,7 +43,32 @@ ServerSignature On # diagnostic purposes). # # Set to one of: On | Off | extended -# TraceEnable Off #TraceEnable On +# +# Forbid access to version control directories +# +# If you use version control systems in your document root, you should +# probably deny access to their directories. For example, for subversion: +# +# +# Require all denied +# + +# +# Setting this header will prevent MSIE from interpreting files as something +# else than declared by the content type in the HTTP headers. +# Requires mod_headers to be enabled. +# +#Header set X-Content-Type-Options: "nosniff" + +# +# Setting this header will prevent other sites from embedding pages from this +# site as frames. This defends against clickjacking attacks. +# Requires mod_headers to be enabled. +# +#Header set X-Frame-Options: "sameorigin" + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet -- 2.20.1